Month: February 2018

Review: Modern Stock Markets

Originally published in AlgosForCryptos on

I have some earlier experience with trading and stock exchanges. This review of stock markets is intended to provide background information to my comparison between markets for cryptos and today’s stock markets.

It’s a Network

Today’s stock trading takes place in a vast network of computers, communicating over the public internet and via private dedicated high-performance networks. The regulations, processes, and systems in use have been built over many years and are based on contributions of many individuals.

A so-called “order-matching” engine sits at the center of the trading network. It is an instance of specialized software tasked to “exchange” money for stocks and vice versa. Each such engine is owned and maintained by a company providing stock exchange services a.k.a. “The Stock Exchange”.

Services Provided by a Stock Exchange Company

  • Maintenance and operation of the order-matching engine software — e.g. market participants pay trading fees to send order messages and receive the results of the work performed by the matching engine.
  • Sale and distribution of market data necessary for all other interested parties to “see” what is going on “inside” the order-matching engine.
  • Initial acceptance and ongoing review of companies whose stocks can be traded — e.g. a reputable stock exchange would reject an application by your local doughnut shop because the exchange sets various conditions such as minimum yearly revenue etc.
  • Initial acceptance and ongoing review of companies which are allowed to trade — e.g. a reputable stock exchange would reject your trading application because they have minimum available capital requirements, certifications etc.

In other words, each stock exchange company has a department of people responsible for collecting information about the companies whose stocks are traded in order to reduce the likelihood of financial fraud like another Enron or WorldCom.

Moreover, other companies submit to a rigorous review of their finances and capabilities for the privilege to become trading members and to connect their internal trading systems to the stock exchange’s order-matching engine. This group is called “Exchange Members” and the stock exchange company is confident that its members do have both money and stocks that they claim to have when they send orders to the matching engine.

Each exchange member is allowed to use their access privileges to make money as long as they adhere to applicable laws as well as regulations set by the exchange. These members may decide to buy and/or sell specific stocks using their own money and profit on the difference in price. The members can also re-sell access to the trading facilities and act as trading “brokers” on anyone’s behalf, including mine or yours.

Process: Steps to Trade Stocks

  1. We must first find a company that is already a member of an exchange and also in the business of providing stock brokering services.
  2. Once we create an account at our broker of choice and establish our identity, we have to transfer cash from the bank before the broker’s trading systems will allow us to create orders (and/or transfer our stocks from our previous broker).
  3. Upon deposit, we use the public internet to log in and enter buy/sell/short, limit/market order(s). This information is transmitted from the browser to the broker’s order & account management system(s). So far, the overall system performance is mostly subject to the personal computer and the ISP.
  4. Broker’s account management system validates the funds necessary to fulfill the order and their order management system (OMS) validates its adherence to rules set forth by the destination matching engine.
  5. Next, the OMS will “rename” the order and transmit it to the exchange for processing by their order matching engine and do so over a high-performance network dedicated to each individual exchange member. The order message will be formulated in a way to identify the broker but will not have any information about its original “instigator”. In other words, the stock exchange company computers only know their members. Nowadays, the broker’s OMS is most often located in the same data center supporting the stock exchange.
  6. Meanwhile, another broker has received a similar but opposite order, in the sense that I wanted to Buy 100 shares of AAPL for $50 whereas “they” are looking to Sell 100 shares of AAPL (for best price).
  7. The order matching engine will match orders from two of its brokers and notify the brokers what happened. Since the stock exchange membership department has already certified both brokers, the engine trusts that my broker will pay $$ and also trusts that the other broker does have 100 shares of AAPL.
  8. In real time or at least at the end of the day, the exchange and all the brokers will net all trades, net all accounts, transfer all money and all shares between brokers and do the reporting to various regulatory bodies (e.g. prevention of insider trading).
  9. Brokers will also collect fees from clients in order to pay for their own services and for services rendered indirectly by other participants in the marketplace — e.g. the stock exchange trading fees, stock ownership registration fees etc.
  10. The trade is finalized when my broker becomes the owner-representative of record for quantity of +100 shares of AAPL as recorded by a depository records corporation maintaining the custody of all shares (DTCC in US). Should AAPL decide to pay a dividend to AAPL shareholders, they will contact the custodian to begin the process of transferring the dividend amounts to brokers and their clients.

In case of problems, we can call our broker(s) and their client services team will undertake the necessary actions to convince us that we are mistaken and everything is fine indeed, or they will investigate the state of their account and order management systems and might even get in touch with the exchange since the exchange is not even aware that I exist (as it was intended).

The stock trading ecosystem is a hub-and-spoke network with 3 layers:

client <-> broker <-> exchange <-> other broker <-> other client
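The identity boundary in steps 4 to 7, as an added sketch (not code from the original post or from any exchange or broker): the broker validates funds and “renames” the order, the engine checks membership only, and the fill names members and order ids. The member ids `BRK-A`/`BRK-B`, the client names and the balances are constructed, and matching is reduced to full-quantity, first-come matching.

```python
from dataclasses import dataclass
from itertools import count
from typing import Optional

@dataclass(frozen=True)
class ExchangeOrder:
    """Everything the exchange receives: no client field exists."""
    member: str             # exchange member (broker) id
    order_id: str           # broker-assigned id, meaningless outside the broker
    side: str               # "buy" or "sell"
    symbol: str
    qty: int
    limit: Optional[float]  # None means market order (best price)

class Broker:
    def __init__(self, member, cash):
        self.member, self.cash = member, dict(cash)   # cash: client -> balance
        self.owner_of = {}                            # order_id -> client, kept private
        self._seq = count(1)

    def submit(self, client, side, symbol, qty, limit=None):
        # Step 4: the account check happens at the broker, before the exchange sees anything.
        if side == "buy" and limit is not None and self.cash.get(client, 0) < qty * limit:
            raise ValueError(f"{client}: insufficient funds")
        # Step 5: "rename" the order so it identifies the broker, not the client.
        order_id = f"{self.member}-{next(self._seq):04d}"
        self.owner_of[order_id] = client
        return ExchangeOrder(self.member, order_id, side, symbol, qty, limit)

class MatchingEngine:
    def __init__(self, members):
        self.members = set(members)   # vetted by the membership department
        self.book = []                # resting limit orders, oldest first

    def accept(self, order):
        if order.member not in self.members:
            raise PermissionError(f"{order.member} is not an exchange member")
        for i, rest in enumerate(self.book):
            crosses = order.limit is None or (
                order.limit >= rest.limit if order.side == "buy" else order.limit <= rest.limit)
            if (rest.symbol, rest.qty) == (order.symbol, order.qty) and rest.side != order.side and crosses:
                del self.book[i]
                buy, sell = (order, rest) if order.side == "buy" else (rest, order)
                # Step 7: the fill names members and their order ids only.
                return {"symbol": order.symbol, "qty": order.qty, "price": rest.limit,
                        "buy": (buy.member, buy.order_id), "sell": (sell.member, sell.order_id)}
        if order.limit is not None:
            self.book.append(order)   # unmatched market orders are dropped in this sketch
        return None

def run_example():
    mine, theirs = Broker("BRK-A", {"me": 6000.0}), Broker("BRK-B", {})
    engine = MatchingEngine({"BRK-A", "BRK-B"})
    engine.accept(mine.submit("me", "buy", "AAPL", 100, limit=50.0))   # rests on the book
    fill = engine.accept(theirs.submit("them", "sell", "AAPL", 100))   # market sell
    # Only each broker can map its own order id back to a client.
    return fill, mine.owner_of[fill["buy"][1]], theirs.owner_of[fill["sell"][1]]
```
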

Centralized vs. Decentralized

The stock exchange company manages data, connections, and trust-relationships with a relatively small number of brokers and can do so very efficiently for a great number of fast transactions. Likewise, each broker supports only their own clients and not the whole “universe” of individuals interested/participating in stock trading. Lastly, the DTCC records current quantities of shares represented by brokers who are then responsible to maintain records of ownership by their specific clients.

The alternative to this tiered-centralized approach would be to maintain one record of ownership for each specific share — e.g. 5.13 billion records for all of AAPL + another 606 million records for GOOG + 482 million records for AMZN and so on for about 4,333 publicly traded companies in the US alone.

Or, we could encode something similar in a public ledger “file” stored in a “network” and whose maintenance is distributed amongst voluntary participants who choose to perform a utility “bookkeeping” role in exchange for a (relatively small & well deserved) fee: eureka — I say we call this a blockchain!

Getting back to the stock trading ecosystem, it is important to cover additional characteristics, especially for readers with experience in trading on N.American or European markets.

In most countries/economies and for most companies, there is one (regional) stock exchange company as the only venue available for trading of stocks issued by companies incorporated (registered) in that specific jurisdiction — e.g. all Brazilian companies with publicly available shares are traded on the B3 exchange, only (in São Paulo). In such cases, any broker you choose will always send your (renamed) order to the same exchange order matching engine and your trading will be subject to fees set by one such company only.

Regulations in N.America and The EU

Trading ecosystems in N.America and the EU are more competitive and therefore both more complicated and more flexible: shares issued by (almost) all companies can be traded on multiple exchanges simultaneously. You could buy 100 shares of AAPL on BATS exchange and immediately sell them on NASDAQ or NYSE. This means that your broker must undertake costs for network integration with multiple exchanges if the broker wants to enable their clients’ maximum access to liquidity and best pricing fees as each exchange collects slightly different trading fees for different trading scenarios.

Since each order matching engine establishes prices based on the equilibrium of buy and sell orders available to that engine only, it is possible that the best prices might be different on each of the 11 main stock exchanges trading in the US. In order to protect the trading public, US regulators have initiated the creation of price protection mechanisms: the result is that all US exchanges are networked to see each other’s best prices and will forward their orders to the matching engine currently “hosting” the best price, better than their own price. Moreover, several professional trading companies specialize in price arbitrage by monitoring market data feeds from multiple exchanges in order to buy/sell directly across exchanges and profit while “forcing” the price equilibrium across the entire ecosystem.

The net result is that all best prices are (almost) always identical on all US stock exchanges and brokers don’t have to incur integration costs with all 11 trading venues.

In Europe, the situation is similar in the sense that one can trade most of the big stocks on 2 or 3 main exchanges, but these trading venues are not networked to forward orders to each other. Since the brokers compete for clients’ business, the brokers are incentivized to connect to each venue and utilize Smart Order Routing (SOR) applications to achieve the best prices for their trades.

In the US and in Europe, the stock custodian services and banks are able to settle stocks and cash from all trades across multiple exchanges (and borders) and the best prices for all stocks are (almost) always identical on all trading venues.

Stock Markets: Structure & Organization

  • Your bank might have a division providing brokerage services or you have to transfer money to another company specializing in such services.
  • Your brokerage company holds your trading cash and stocks.
  • The broker represents & “vouches” for you at the stock exchange.
  • The stock exchange is run by another company which has no idea who you are: they only know & trust their registered brokers.
  • Your broker may offer additional services to help you get more out of your trading activity, such as advanced order types implemented in the broker’s computers, lending of capital for (margin) trading, investment advice, and research materials etc.
  • In case of issues, your broker will investigate broker’s own systems.
  • If necessary, your broker will also speak with the exchange to investigate any possible issues there.
  • All best prices for individual stocks are (almost) always identical on all stock exchanges that trade respective stocks.
  • Cash & stock settlement (transfer) for all trades runs through a central provider / third party which is utilized by all brokers and stock exchanges.
  • Brokers, exchanges and settlement services act together to make cash transfers, stock ownership transfers and to eliminate fluctuations of best prices across multiple trading venues.
  • When you trade from your computer, you are communicating with your broker over the public internet and the broker is communicating with the stock exchange over a dedicated high-performance network.
  • Brokers, stock exchanges, and custodian companies are regulated by each other and by governments in their jurisdictions.

Genesis Post: Low Cost WordPress on AWS with SSL and CloudFront



  • Set up a modern blog about my work in the crypto / trading domain.
  • Learn (more about) the WordPress platform & ecosystem.
  • Leverage my experience with Amazon / AWS while making use of all the relevant free-tier services.
  • Achieve the lowest total cost.

A “recipe” for these goals:

  1. Use because they sell .com domains for USD 8.53.

    HOST records management for A, CNAME, MX etc. types, is included as well as a free first-year of domain privacy.

    An alternative to the free HOST records management would be to use AWS/Route53 for USD 6/year (minimum) since Route53 does not have a free-tier.

  2. Use (affiliate) for email/inbox-only hosting with unlimited domains & emails plans starting at ~USD 25/ year: much cheaper than Google.Apps at USD 5/inbox-month.
  3. Amazon / AWS hosting & free-tier services: Bitnami’s WordPress AMI on EC2; CloudFront CDN to improve performance for visitors around the globe; S3 storage for WordPress caching & backup; free SSL cert issued by Amazon, to get the cute green lock in the address bar.
  4. I like Medium’s style so I selected a free WordPress theme Wilson which I thought would let me deliver my content in a similar way: thank you Anders Norén.

Valuable “cooking” lessons I learned:

  • AWS’ SSL certs require domain ownership validation. You can choose to do so via a CNAME entry or by a confirmation email sent to the WHOIS contacts. My first attempt using the CNAME, timed out after 72h and I never understood what went awry. Luckily, the confirmation email showed up immediately and I was validated in mere minutes.
  • RTFM: AWS certs for use with CloudFront MUST be requested/issued in the AWS/Virginia region.
  • When browsers ask for https sites or are redirected (“forced”) from http-to-https, the browsers “expect” all links/content from the respective site/domain to be also delivered via “https”. Otherwise, we will get a security warning and the browser will “refuse” to display the page due to its mixed security content.
  • WordPress serves all its content with fully qualified absolute URLs. Therefore, all content is http only or https only, depending on the protocol defined in the site name configuration.
  • I set up CloudFront with the SSL cert and configured it to force http-to-https for all visitors irrespective of the protocol they might have requested. Therefore, CloudFront passes all requests to my EC2/WordPress “origin” also using https. In order for WordPress to return all pages and their links with https only, I had to set up WordPress to also use https only and respond to CloudFront with the WordPress https & cert. Allowing WordPress to still use http results in mixed security content issues when pages are processed by the clients’ browsers.
  • Since CloudFront does not accept https from “self-signed” certs, I had to install a legitimate “Let’s Encrypt” SSL cert specific to my domain, on the EC2/WordPress server. Originally, I hoped to avoid this as I mistakenly assumed that the AWS’ cert on CloudFront would suffice.
  • I wanted the AWS’ cert for the entire site. Therefore, I had to configure CloudFront to use my own domain name in the “alternative domains” setting. When I attempted to use CF’s default domain in the WordPress CDN/cache settings I got “could not contact origin” errors.
    Btw, CF’s default domain name goes into host/CNAME records (“@” and “*”).
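A check for the mixed-content condition described in the lessons above, as an added example (not from the original post): it lists the subresources an https page would still fetch over http, which is what WordPress emits while its site URL is configured as http. The host `blog.example` and the file paths in the sample are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attributes that make the browser fetch a subresource.
# <a href> is a navigation, not a subresource, so it is deliberately absent.
FETCHING_ATTRS = {
    "script": ("src",), "img": ("src", "srcset"), "iframe": ("src",),
    "audio": ("src",), "video": ("src", "poster"), "source": ("src", "srcset"),
    "embed": ("src",), "object": ("data",),
}
FETCHING_LINK_RELS = {"stylesheet", "icon", "preload"}

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []            # (tag, attribute, resolved URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        names = FETCHING_ATTRS.get(tag, ())
        rels = set((attrs.get("rel") or "").lower().split())
        if tag == "link" and rels & FETCHING_LINK_RELS:
            names = ("href",)
        for name in names:
            value = attrs.get(name) or ""
            # srcset holds comma-separated "URL descriptor" pairs.
            parts = value.split(",") if name == "srcset" else [value]
            for part in parts:
                if not part.strip():
                    continue
                url = urljoin(self.page_url, part.split()[0])
                if urlsplit(url).scheme == "http":
                    self.findings.append((tag, name, url))

def find_mixed_content(page_url, html):
    """Return insecure subresources referenced by an https page."""
    if urlsplit(page_url).scheme != "https":
        return []                     # mixed content only exists on https pages
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample: WordPress output while its site URL is still http://
PAGE_URL = "https://blog.example/"
SAMPLE_HTML = """
<link rel="canonical" href="http://blog.example/">
<link rel="stylesheet" href="http://blog.example/wp-content/themes/wilson/style.css">
<script src="https://blog.example/wp-includes/js/jquery.js"></script>
<img src="/wp-content/uploads/logo.png"
     srcset="http://blog.example/wp-content/uploads/logo-2x.png 2x">
<a href="http://blog.example/about/">About</a>
"""
```

Relative and protocol-relative URLs inherit the page's scheme, so only the absolute http URLs are reported.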

Conclusions & unresolved “mysteries”:

  • I was somewhat wrong about https and caching. When I had to set up https on the EC2, I thought that the CDN would not cache any assets. Page performance by GTmetrix and Response/HEADERS indicate that content is being served by the CDN. I have configured an S3 “origin” to offload some assets for caching but I am not sure if CF is using S3 over http or EC2 over https and then caching after decryption.
  • My EC2 does have to do more processing than I originally hoped because it must encrypt/decrypt all its communication with CloudFront.
  • Domain host records use CNAME pointed at the CloudFront’s domain for my distribution. Without CF I would use A records and point them to the EC2’s ip address. If the dynamic content is always served by the EC2 and never cached by the CF due to https, does that mean that I am wasting an extra network hop between the CDN and EC2?
  • If I am “wasting” a hop perhaps the “speed” of the AWS’ network between CF and EC2 makes up for the slowness of the “wild” internet between the browser and EC2?
  • I used BackWPup plugin to setup WordPress backup to S3. It seems that the free version has a bug which prevents the plugin from working with S3 buckets in US-Ohio region. Instead, I set it to use the “US-Standard” setting which corresponds to the US-N.Virginia region.
  • W3 Total Cache plugin does not “play” well with CloudFront backed by S3. It was pushing all wp-includes and wp-content files to S3 each time it was supposed to push just those that have changed. The consequence was that it quickly spent the entire free-tier provision for S3 operations. After a lot of trial-and-error I resolved the issue by switching off the setting that says:

    Force over-writing of existing files / If modified files are not always detected and replaced, use this option to over-write them
